How to get .pem file from .key and .crt files?

后端 未结 10 1905
-上瘾入骨i
-上瘾入骨i 2020-11-22 10:06

How can I create a PEM file from an SSL certificate?

These are the files that I have available:

  • .crt
  • server.csr
相关标签:
10条回答
  • 2020-11-22 10:32

    I was trying to go from godaddy to app engine. What did the trick was using this line:

    openssl req -new -newkey rsa:2048 -nodes -keyout name.unencrypted.priv.key -out name.csr
    

    Exactly as is, but replacing name with my domain name (not that it really even mattered)

    And I answered all the questions pertaining to common name / organization as www.name.com

    Then I opened the csr, copied it, pasted it in go daddy, then downloaded it, unzipped it, navigated to the unzipped folder with the terminal and entered:

    cat otherfilegodaddygivesyou.crt gd_bundle-g2-g1.crt > name.crt
    

    Then I used these instructions from Trouble with Google Apps Custom Domain SSL, which were:

    openssl rsa -in privateKey.key -text > private.pem
    openssl x509 -inform PEM -in www_mydomain_com.crt > public.pem
    

    exactly as is, except instead of privateKey.key I used name.unencrypted.priv.key, and instead of www_mydomain_com.crt, I used name.crt

    Then I uploaded the public.pem to the admin console for the "PEM encoded X.509 certificate", and uploaded the private.pem for the "Unencrypted PEM encoded RSA private key"..

    .. And that finally worked.

    0 讨论(0)
  • 2020-11-22 10:34

    Trying to upload a GoDaddy certificate to AWS I failed several times, but in the end it was pretty simple. No need to convert anything to .pem. You just have to be sure to include the GoDaddy bundle certificate in the chain parameter, e.g.

    aws iam upload-server-certificate
        --server-certificate-name mycert
        --certificate-body file://try2/40271b1b25236fd1.crt
        --private-key file://server.key
        --path /cloudfront/production/
        --certificate-chain file://try2/gdig2_bundle.crt
    

    And to delete your previous failed upload you can do

    aws iam delete-server-certificate --server-certificate-name mypreviouscert
    
    0 讨论(0)
  • 2020-11-22 10:35

    What I have observed is: if you use openssl to generate certificates, it captures both the text part and the base64 certificate part in the crt file. The strict pem format says (wiki definition) that the file should start and end with BEGIN and END.

    .pem – (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

    So for some libraries (I encountered this in java) that expect strict pem format, the generated crt would fail the validation as an 'invalid pem format'.

    Even if you copy or grep the lines with BEGIN/END CERTIFICATE, and paste it in a cert.pem file, it should work.

    Here is what I do, not very clean, but works for me, basically it filters the text starting from BEGIN line:

    grep -A 1000 BEGIN cert.crt > cert.pem

    0 讨论(0)
  • 2020-11-22 10:38
    • Open terminal.
    • Go to the folder where your certificate is located.
    • Execute below command by replacing name with your certificate.

    openssl pkcs12 -in YOUR_CERTIFICATE.p12 -out YOUR_CERTIFICATE.pem -nodes -clcerts

    • Hope it will work!!
    0 讨论(0)
  • 2020-11-22 10:41

    I needed to do this for an AWS ELB. After getting beaten up by the dialog many times, finally this is what worked for me:

    openssl rsa -in server.key -text > private.pem
    openssl x509 -inform PEM -in server.crt > public.pem
    

    Thanks NCZ

    Edit: As @floatingrock says

    With AWS, don't forget to prepend the filename with file://. So it'll look like:

     aws iam upload-server-certificate --server-certificate-name blah --certificate-body file://path/to/server.crt --private-key file://path/to/private.key --path /cloudfront/static/
    

    http://docs.aws.amazon.com/cli/latest/reference/iam/upload-server-certificate.html

    0 讨论(0)
  • 2020-11-22 10:41

    A pem file contains the certificate and the private key. It depends on the format your certificate/key are in, but probably it's as simple as this:

    cat server.crt server.key > server.pem
    
    0 讨论(0)
提交回复
热议问题